fix: patch glib to address RUSTSEC-2024-0429 unsoundness #3

Closed
bb111189 wants to merge 1 commit into main from fix/dependabot-alert-8-glib-unsoundness

@bb111189
Contributor

Summary

  • Patch glib 0.18.5 via [patch.crates-io] pointing to alt-research/gtk-rs-core branch 0.18-patched, which backports the fix from gtk-rs/gtk-rs-core#1343 for RUSTSEC-2024-0429 (unsoundness in VariantStrIter::impl_get)
  • Upstream only patched glib >= 0.20.0, but Tauri 2.x depends on the gtk-rs 0.18.x ecosystem, so a direct version bump is not possible
  • Addresses Dependabot alert fix: upgrade ajv override to v8.18.0 #8

Test plan

  • cargo update -p glib succeeds and Cargo.lock references the patched fork
  • Verify Dependabot alert is resolved after merge

…nsoundness)

Use [patch.crates-io] to redirect glib to alt-research/gtk-rs-core
0.18-patched branch, which backports the fix from gtk-rs/gtk-rs-core#1343.

Upstream only patched glib >= 0.20.0, but Tauri 2.x depends on the
gtk-rs 0.18.x ecosystem. The fix is a two-line change (immutable to
mutable reference in VariantStrIter::impl_get).

@bb111189 closed this Feb 12, 2026
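
The lockfile check from the test plan, as an added example that is not part of the pull request: a Python script that confirms every glib entry in Cargo.lock resolves from the fork at a pinned commit rather than from crates.io. The full GitHub URL for the fork, the sample lockfile fragments and the commit hash are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed values: the page names only "alt-research/gtk-rs-core", not a full URL.
EXPECTED_REPO = "https://github.com/alt-research/gtk-rs-core"
EXPECTED_BRANCH = "0.18-patched"

# Constructed lockfile fragments; the commit hash is a placeholder.
PATCHED = '''[[package]]
name = "glib"
version = "0.18.5"
source = "git+https://github.com/alt-research/gtk-rs-core?branch=0.18-patched#0123456789abcdef0123456789abcdef01234567"
'''
UNPATCHED = '''[[package]]
name = "glib"
version = "0.18.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''

def lock_packages(text):
    """Yield one dict of string keys per [[package]] table.
    Cargo.lock is machine-written with one key per line, so a line scan is enough."""
    pkg = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):          # a new table starts; flush the previous package
            if pkg is not None:
                yield pkg
            pkg = {} if line == "[[package]]" else None
        elif pkg is not None and (m := re.fullmatch(r'(\w+) = "(.*)"', line)):
            pkg[m.group(1)] = m.group(2)
    if pkg is not None:
        yield pkg

def check_patched(text, crate="glib"):
    """Return a list of problems; an empty list means the patch is in effect."""
    entries = [p for p in lock_packages(text) if p.get("name") == crate]
    problems = [] if entries else [f"{crate} not found in lockfile"]
    for p in entries:
        src, label = p.get("source", ""), f"{crate} {p.get('version')}"
        url = urlsplit(src[4:]) if src.startswith("git+") else None
        if url is None:                   # still resolved from a registry: patch unused
            problems.append(f"{label}: not a git source ({src or 'none'})")
        elif f"{url.scheme}://{url.netloc}{url.path}" != EXPECTED_REPO:
            problems.append(f"{label}: unexpected repository")
        elif parse_qs(url.query).get("branch") != [EXPECTED_BRANCH]:
            problems.append(f"{label}: unexpected branch")
        elif not re.fullmatch(r"[0-9a-f]{40}", url.fragment):
            problems.append(f"{label}: commit not pinned")
    return problems
```

Run in CI as `check_patched(open("Cargo.lock").read())` and fail the job on a non-empty result; because the patch tracks a branch, the commit recorded in the lockfile is the only thing that fixes which code is built.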